Bug 584645 (CVE-2010-1173)
| Summary: | CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | arozansk, bhu, davej, dhoward, jkacur, jolsa, jpirko, kmcmartin, lgoncalv, lwang, nhorman, osoukup, pcfe, plyons, pmatouse, rcvalle, rdassen, security-response-team, tao, tcallawa, vgoyal, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-03-28 08:38:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 584653, 584654, 584655, 584656, 584657, 584658, 584659, 593537, 593538, 593539 | | |
| Bug Blocks: | | | |
| Attachments: | | | |
Created attachment 409211 [details]
patch to pre-allocate error chunk w/ proper space

Here's the patch I've written. It pre-allocates the error chunk assuming worst case conditions, which is that each parameter will be in error (requiring its own sctp error header).
*** Bug 586631 has been marked as a duplicate of this bug. ***

Consider this public. http://article.gmane.org/gmane.linux.network/159531

For completeness:

The patch that was committed to the upstream networking git:

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809

It has been merged into the vanilla kernel git:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941

(In reply to comment #25)
> For completeness:
>
> The patch that was committed to the upstream networking git:
>
> http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
>
> It has been merged into the vanilla kernel git:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941

^^ AFAICS, it's not fixed in upstream yet.

What are you talking about, Eugene? I sent the patch up, & it went into net-2.6. You were copied on the mail, and have the commit above.

(In reply to comment #27)
> What are you talking about, Eugene? I sent the patch up, & it went into
> net-2.6. You were copied on the mail, and have the commit above.

but not into linux-2.6 yet. But I guess it will be committed there eventually.

(In reply to comment #28)
> (In reply to comment #27)
> > What are you talking about, Eugene? I sent the patch up, & it went into
> > net-2.6. You were copied on the mail, and have the commit above.
>
> but not into linux-2.6 yet. But I guess it will be committed there eventually.

It is now.
Upstream commit: http://git.kernel.org/linus/5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809

We will need this patch too: http://marc.info/?l=linux-sctp&m=127372809930656&w=2

> commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 "sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)" cause 'error cause' never be added to the ERROR chunk due to some typo when checking valid length in sctp_init_cause_fixed().

Statement:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2010-1173. This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. Future kernel updates in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG may address this flaw. For more information, please see http://kbase.redhat.com/faq/docs/DOC-31052.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 4

Via RHSA-2010:0474 https://rhn.redhat.com/errata/RHSA-2010-0474.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2010:0504 https://rhn.redhat.com/errata/RHSA-2010-0504.html

The fix is in upstream release kernels 2.6.34, 2.6.33.6 and 2.6.32.16

This issue has been addressed in the following products:

MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html

This issue has been addressed in mrg1-3
Description of problem:

Reported by Nokia-CN-Flexi via Issue Tracker. A similar issue was reported by Jukka Taimisto and Olli Jarva from the CROSS open source testing project at Codenomicon Ltd. This was also reported by Windriver on behalf of their customer via vendor-sec.

Kernel crash occurs if an sctp listening port receives a malformatted init packet. It's an skb_over_panic BUG halt that results from processing an init chunk in which too many of its variable length parameters are in some way malformed.

The problem is in sctp_process_unk_param:

```c
if (NULL == *errp)
	/* reserves only chunk_hdr->length bytes for the error chunk */
	*errp = sctp_make_op_error_space(asoc, chunk,
					 ntohs(chunk->chunk_hdr->length));

if (*errp) {
	/* adds an sctp_errhdr_t that the reservation above did not count */
	sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
			WORD_ROUND(ntohs(param.p->length)));
	sctp_addto_chunk(*errp,
			 WORD_ROUND(ntohs(param.p->length)),
			 param.v);
```

When we allocate an error chunk, we assume that the worst case scenario requires that we have chunk_hdr->length data allocated, which would be correct nominally, given that we call sctp_addto_chunk for the violating parameter. Unfortunately, we also, in sctp_init_cause, insert a sctp_errhdr_t structure into the error chunk, so the worst case situation in which all parameters are in violation requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.

This fix solves the problem by allowing our implementation to only report a fixed number of errors. When we encounter an error in parameter processing we allocate a chunk that is min(asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT), limiting our error reporting to a single mtu sized chunk. Parameter errors that grow beyond that value are discarded.
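To make the space accounting in the description concrete, here is an added example (not kernel code and not Neil's patch) that models the three reservation sizes discussed above and a bounded cause appender that discards, rather than overruns, once the chunk is full; the struct layout, header sizes, DEMO_MAXSEGMENT and the parameter bytes are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed constants for this demo; the kernel's sctp_errhdr_t, WORD_ROUND
 * and SCTP_DEFAULT_MAXSEGMENT live in the net/sctp headers (assumption). */
#define WORD_ROUND(n)    (((n) + 3u) & ~3u)
#define SCTP_ERRHDR_LEN  4u      /* cause code + cause length */
#define DEMO_MAXSEGMENT  1500u   /* stand-in for SCTP_DEFAULT_MAXSEGMENT */

/* Minimal stand-in for the error chunk: reserved size, fill level, and a
 * count of causes that were discarded because they did not fit. */
struct err_chunk { uint8_t buf[4096]; size_t cap, len; unsigned dropped; };
/* Space the original code reserved: only the INIT chunk's own length. */
size_t naive_error_space(size_t init_chunk_len) { return init_chunk_len; }
/* Worst case when every parameter is in error: each copied parameter is
 * preceded by its own error cause header. */
size_t worst_case_error_space(size_t init_chunk_len, unsigned param_count) {
    return init_chunk_len + SCTP_ERRHDR_LEN * param_count;
}

/* The fix's allocation: one MTU-sized chunk regardless of the INIT's size. */
size_t fixed_error_space(size_t pathmtu) {
    return pathmtu < DEMO_MAXSEGMENT ? pathmtu : DEMO_MAXSEGMENT;
}

/* Append one UNKNOWN_PARAM cause (header + word-rounded parameter). Returns 1
 * if appended, 0 if discarded. Writing past cap is what trips skb_over_panic
 * in the kernel; here the overflow is refused instead. */
int add_unknown_param_cause(struct err_chunk *c, const uint8_t *p, uint16_t plen) {
    size_t need = SCTP_ERRHDR_LEN + WORD_ROUND(plen);
    if (c->len + need > c->cap) { c->dropped++; return 0; }
    memset(c->buf + c->len, 0, need);                    /* header + padding */
    memcpy(c->buf + c->len + SCTP_ERRHDR_LEN, p, plen);  /* copied parameter */
    c->len += need;
    return 1;
}

/* Report `count` bad parameters of `plen` bytes into a chunk of `cap` bytes
 * and return how many causes actually fit. */
unsigned report_bad_params(size_t cap, unsigned count, uint16_t plen) {
    struct err_chunk c = { .cap = cap, .len = 0, .dropped = 0 };
    uint8_t param[64] = {0};                     /* constructed payload bytes */
    unsigned added = 0;
    if (c.cap > sizeof c.buf) c.cap = sizeof c.buf;
    for (unsigned i = 0; i < count && plen <= sizeof param; i++)
        added += (unsigned)add_unknown_param_cause(&c, param, plen);
    return added;
}
```

With an INIT of 804 bytes carrying 100 eight-byte parameters, the naive reservation holds only 67 causes before the 68th would overrun, the worst-case reservation holds all 100, and the fixed MTU-bounded chunk holds 125 and silently drops the rest.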